Use Nginx to configure a simple WEB application firewall
Source: Internet
Author: User
At present, most high-concurrency and high-performance WEB applications are developed by LNMP (Linux + Nginx + Mysql + PHP/Python) most WEB applications supporting high concurrency and performance are supported by the LNMP (Linux + Nginx + Mysql + PHP/Python) Environment Architecture. Nginx can be used as an independent HTTP service, it can also be used as an excellent reverse proxy server. at the same time, it can meet the needs of the backend server to accelerate cache, high availability, and load balancing. It can also act as a WEB Firewall (WAF: short for Web Application Firewall) it may be the first time you have heard of WAF, but with this layer of reinforcement, common vulnerabilities in the application layer of the service backend (SQL injection, xss, CC attacks, etc ), almost all of them can defend against attacks.
The following built-in variables or modules are mainly used as protection roles:
$ Query_string all string query parameters combined (URL request)
The Limit zone module allows you to define a zone, and then you can Limit the maximum number of concurrent connections allowed by the client to access the server by limiting the zone.
$ Query_string defends against SQL injection, xss, and other attack instances:
Server segment addition:
Access_log on; // Records attack logs
If ($ query_string ~ * ". * ['\ <\> \ (\)]. *") {# Determines whether the URL parameter source contains <, \, and so on. if it contains, error 403 is returned.
Return 403;
Access_log/home/www/logs/attack. log; # append the attack log
}
If ($ query_string ~ * "= \/| Union | select | \. \./") {# determines whether the URL parameter source contains a keyword. if it contains a 403 error
Return 403;
Access_log/home/www/logs/attack. log; # append the attack log
}
If ($ query_string ~ "(<| % 3C). * script. * (> | % 3E)") {# determine whether the URL parameter source contains . If it contains, error 403 is returned.
Return 403;
Access_log/home/www/logs/attack. log; # append the attack log
}
The rules here may not be complete, and the blind injection attack rules must be carefully considered. you can take corresponding protection measures according to your own rules.
The Limit zone and limit request modules prevent simple CC attacks:
Defined by limit_zone zone_name $ variable memory_max_size
Limit_conn testzone $ binary_remote_addr 10 m;
Limit_conn zone_name connection_limit;
Location/test/{limit_conn testzone 1 ;}
For the application of Limit request, see the manual.
The same request with one binary_remote_addr can only have one connection at the same time. if the connection exceeds the value, the Error 503 is returned.
The module here is hard to grasp the user's request level. although it has achieved basic protection and prompted the attacker with a 503 error, Nginx still provides services to the attacker, in this case, we recommend that you use DoS deflate to defend against cc attacks.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.
